For some time now there has been much talk about mobile security on all the different platforms. Some security researchers/companies would have you believe that there is a pandemic of malware on the horizon, if it is not here already. Equally, there are those who read such claims and cry, “FUD” (fear, uncertainty and doubt), saying that the platform is secure and the risks overplayed by those who have an agenda (selling you protection apps). Personally, I think the truth may lie somewhere between those extremes – the threats are certainly real, make no mistake, but just how many people do you know whose phone or tablet has been infected???
Irrespective of where the truth lies, it's good to see that Google recognises the need to increase security with each new iteration of the Android platform. The latest release, 4.1 Jelly Bean, promises to be the most secure yet. One of the key areas of improvement is the implementation of ASLR (Address Space Layout Randomisation). In simplish terms this means that many memory locations, such as the stack, heap and libraries, are randomised, so if a hacker should exploit the memory to insert a malicious payload then they'll have no way of knowing where it will end up.
ASLR was, of course, present in Ice Cream Sandwich (4.0) but the implementation wasn’t so great. The changes made for Jelly Bean should make things much tougher for the bad guys.
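One way to check the randomisation described above on a running system, as an added example rather than code from the original post: the Python below compares two `/proc/<pid>/maps` dumps of the same program and lists the regions that loaded at the same base address both times. The two dumps are constructed sample data, and `region_bases` and `fixed_regions` are names chosen for this illustration.

```python
import os

# Constructed sample data: two /proc/<pid>/maps dumps of one program, taken on separate runs.
RUN_A = """
00008000-0000a000 r-xp 00000000 b3:02 1234 /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:02 1234 /system/bin/app_process
01a3c000-01a5d000 rw-p 00000000 00:00 0 [heap]
4010f000-40155000 r-xp 00000000 b3:02 5678 /system/lib/libc.so
40155000-40158000 rw-p 00046000 b3:02 5678 /system/lib/libc.so
40200000-40201000 rw-p 00000000 00:00 0
be8d1000-be8f2000 rw-p 00000000 00:00 0 [stack]
"""
RUN_B = """
00008000-0000a000 r-xp 00000000 b3:02 1234 /system/bin/app_process
0000a000-0000b000 rw-p 00002000 b3:02 1234 /system/bin/app_process
0092e000-0094f000 rw-p 00000000 00:00 0 [heap]
400a4000-400ea000 r-xp 00000000 b3:02 5678 /system/lib/libc.so
400ea000-400ed000 rw-p 00046000 b3:02 5678 /system/lib/libc.so
40311000-40312000 rw-p 00000000 00:00 0
beb3f000-beb60000 rw-p 00000000 00:00 0 [stack]
"""

def region_bases(maps_text):
    """Map each named region in a maps dump to its lowest start address."""
    bases = {}
    for line in maps_text.strip().splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:  # anonymous mapping: no name to compare across runs
            continue
        start = int(fields[0].split("-")[0], 16)
        name = fields[5].strip()
        # Keep [stack]/[heap] as-is; reduce file paths to the file name.
        label = name if name.startswith("[") else os.path.basename(name)
        bases[label] = min(start, bases.get(label, start))
    return bases

def fixed_regions(run_a, run_b):
    """Return the sorted names of regions whose base address is identical in both runs."""
    a, b = region_bases(run_a), region_bases(run_b)
    return sorted(name for name in a.keys() & b.keys() if a[name] == b[name])

if __name__ == "__main__":
    # In the constructed data only the main executable stays put.
    print("Not randomised between runs:", fixed_regions(RUN_A, RUN_B))
```

Any region this reports was loaded at a predictable address, which is the kind of gap a full ASLR implementation is meant to close.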
As Charlie Miller told ArsTechnica,
“Jelly Bean is going to be the first version of Android that has full ASLR and DEP, so it’s going to be pretty difficult to write exploits for that.”
Overall then, it seems like a step in the right direction but will it help dispel rumours of Android’s vulnerability to malware? Judging by the volume of security apps for the platform I rather suspect it won’t, but do you think it should??